"The best defense is a good offense!" Interview with Florian, ethical hacker
Today, I'd like to introduce you to Florian, a 29-year-old who has been an ethical hacker for the past seven years. We met some time ago, and he took the time to tell me about his job and his background. Basically, “Flo,” the name he goes by, offers to hack companies’ computer systems so they can protect themselves more effectively against malicious attacks.
I asked him if his days were a bit like Elliot's (the guy from Mr. Robot), and I have to announce a spoiler alert: yes, he indeed spends his days in front of a black box coding green lines that scroll! Of course, there are some subtleties. Let's go and introduce them to you!
Kate: Hello Flo! Can you quickly introduce yourself?
Florian: Hi there, absolutely! My name’s Florian. I'm 29 and live in southern France. I got my master's degree in 2015, and then worked for three years as an employee at Deloitte and then Airbus before launching my own business in 2018. In 2021, I created Hackmosphere, which specializes in ethical hacking.
Kate: Where did you go to school?
Florian: Initially, I set out on coursework for a bachelor’s degree in networking and telecommunications at Sophia Antipolis. After two years in Scotland, I then went on to a master’s degree in information systems and networks. At the end of my studies, I was lucky enough to join Deloitte, this time in Amsterdam. That's where I really had my first experience as a cybersecurity consultant, and where I got to grips with ethical hacking. I was conducting research, for example, into unlocking cars remotely. Afterwards, I moved to Toulouse for a year with Hélène, my partner, and I worked for Airbus, but on the defensive security side. I had little choice since there were no offers on the market that met my skill set... That's when it dawned on me: why not create my own company?
Kate: And when did you dive into the “deep end?”
Florian: Back from a year of traveling around the world, I decided to start my own business. Deloitte had already contacted me some time ago to propose working together on a freelance mission, so I was ready to start my own business with my first solid client. No dice there: then along came COVID. But I didn't give up, and here I am today at the head of Hackmosphere. I now have several interns and freelancers working with me.
Kate: Would you mind explaining a little bit what ethical hacking is?
Florian: Plainly speaking, I help organizations of all sizes identify their cybersecurity flaws by performing pen tests. Basically, I make them come to terms with one central concept: “The best defense is a good offense.”
My role is to put myself in the shoes of the developer who created a site or a service in order to better identify vulnerabilities, loopholes through which I could break in to bypass the security system in place and take control of the server (if that's the objective). So, I launch automatic scans that will bring up a certain number of flaws, and in parallel I will also go around the app to dig and search manually.
Kate: More specifically, how and where do we learn about ethical hacking?
Florian: Great question! Even if some schools have integrated ethical hacking modules into their teaching, it’s still a sector of cybersecurity that hasn’t yet become all that popular. I'm lucky enough to teach grad students, and at this level, very few of them have ever done any ethical hacking. Basically, the school gives the basics and informs them about the existence of the profession. That's about it.
In fact, if you want to learn how to hack, it’s very simple: you have to practice! There are training sessions and even websites that can help you learn on your own. The perfect example is CTF, Capture the Flag. It's a series of challenges in the form of a game or puzzle that allows you to learn how to exploit vulnerabilities. Once you’ve done that, you get this "flag" which gives you points to increase your score!
Another example: Root Me, a learning platform dedicated to hacking. What's great about Root Me is that there is a scoring principle that evolves according to the tasks accomplished. To learn hacking, it's the best. Personally, I'd much rather recruit a young developer who never studied but who has a score that breaks everything on Root Me than a student who never hacked but who has a degree in computer science. Practice makes perfect!
Kate: What's a day at Hackmosphere like?
Florian: So, we work on a project basis. It usually starts with prospecting, and once I've identified a company that has cybersecurity needs, I work up an estimate and a plan of attack. If they agree, we set key dates. I write a letter of commitment. This is the crucial step since it legally justifies my attack. On the predetermined day, I launch the attack! I have a Word document of about sixty pages, a guide to best practices, which leaves nothing to chance. Generally, the projects take me one to two weeks—it really depends on each company’s structure. On average, I detect about 10 issues per company, but in truth the number doesn't matter. It's the risk rate that counts, with a level ranging from 1 to 4. If I haven't found a high-risk or critical flaw, I often think I could have done a better job. That said, maybe the company’s security is simply really solid!
Kate: And what does a hacker's gear look like?
Florian: I'm very keen on ergonomics. I work with a PC running Windows, which simulates a virtual machine running Linux. I also invested in what I think is a must: the gamer chair! And I have the best of the best: an electric sit/stand desk, for when I want to stretch my legs a bit. Oh, and my little peculiarity is that I have two mice: one for each hand. That’s from an old case of tendinitis that forced me to handle the mouse in both directions.